Security system

ABSTRACT

An electronic access control system comprising a lock cylinder and one or more user keys for use in operating the lock. Housed within the lock cylinder is a microprocessor and a memory. Each user key has an ID chip in which is embedded (at the time of manufacture) a unique ID number drawn from a pool of greater than 280,000,000,000,000 combinations, which number cannot be changed once it has been embedded in the key. A user key can be used to successfully open the lock if its unique ID number has been added to a list stored in the lock memory. The system further comprises an edit key which can be used to add or delete ID numbers of user keys from the list of valid keys stored in the lock memory.

This invention relates to a security system and, more particularly, to asecurity system comprising a mechanical lock and key and including anelectronic access control facility to prevent unauthorised opening ofthe lock.

Electronic locks have a number of advantages over normal mechanicallocks and many such electronic locks (or mechanical locks including anelectronic access control facility) have been proposed in the past.

U.S. Pat. No. 5,552,777 describes a mechanical lock and key having anelectronic access control feature for preventing opening of the lock,even with the proper mechanical key, unless prescribed conditions aremet. The lock cylinder is fitted with a small ID or “serial number” chipwhich is read when a voltage is applied. The mechanical key has a keyhead with a battery, microprocessor and database. When the key isinserted into the lock, the lock conveys its ID to the microprocessor inthe key, where it is compared against one or more stored ID's todetermine if the key is authorised to open that lock and, if so, asignal or code is transmitted from the key to the lock allowing it to beopened; otherwise, the lock will not open. A record is made in thedatabase (in the key) as to each instance of opening of each lock whichthe key fits.

PCT/US01/01531 describes a mechanical lock and key. The key comprises ahousing in which is disposed a battery and a PCB. Mounted on the PCB is,among other things, a microprocessor. The lock includes a cylinderwithin which is mounted a PCB. Mounted on the PCB is, among otherthings, a lock processor and a memory. Electrical contact is madebetween the PCB in the key and the PCB in the lock when the key isinserted in the lock. In use, the key microprocessor and the lockmicroprocessor communicate with one another to allow the lock to beunlocked. Each key and lock has a unique identification code (stored intheir respective microprocessors), which identification codes may beprogrammed in the respective microprocessors when the key or lock ismanufactured. When a key engages a lock it sends power to the lockmicroprocessor. The lock microprocessor sends a signal corresponding toits identification code to the key microprocessor. The keymicroprocessor then sends a key identification code and a password tothe lock microprocessor. The lock microprocessor determines whether thekey identification code is authorised to open the lock. If so, the lockmicroprocessor sends a signal to the key microprocessor, which inresponse provides power from the battery to a solenoid in the lockmechanism to unlock the lock. Both the key microprocessor and the lockmicroprocessor may store within their respective associated memoriesactivities occurring with respect to the key and lock. The keymicroprocessor and lock microprocessor are programmed (i.e. keyidentification codes and passwords can be added and deleted) by means ofan external programming device such as a Palm Pilot™ or the like.

U.S. Pat. No. 5,367,295 describes a mechanical key and lock cylinderincluding an electronic access control feature. The key is fitted with amemory cell. The lock cylinder is provided with a processor board forprocessing data which is communicated thereto from the memory cell inthe key via a connector unit in the cylinder. When the key is insertedinto the lock cylinder, identification data stored in the memory cell istransmitted from the key to the processor board. The memory cell isprogrammable and password protected so that authorised persons can gainaccess to its contents to add/delete identification data as required.The identification data received from a key memory cell is compared bythe processor board with authorised identification data and, if a matchis found the lock will open.

GB-2291106-A describes an electronic key and a key reader (mounted in,for example, a keyhole or lock cylinder). The body of the keyincorporates an electronic chip which, on activation, is capable oftransmitting a stream of digital data through a two-wire contact inorder to release or activate the lock, via a control system. The controlsystem is housed within an external device plugged into the key reader.Thus, when the key is inserted into the key reader, a stream of digitaldata is transmitted through the two-wire contact to the key reader andthen from the key reader to the above-mentioned external device. Allcommunication to and from the system is carried out via the externalcontrol system. Keys are programmed using a separate key console orcontrol computer.

U.S. Pat. No. 5,749,253 describes an electronic access control system.The access control system comprises a central host computer coupled to aplurality of door controllers disposed within respective door knobs orthe like of doors required to be controlled. The doors themselves arelocked by means of electromechanical locking apparatus, such as asolenoid mechanism to electrically actuate a mechanical locking systemto remove or enable withdrawal of a latch, so that a door or otherbarrier to entry can be opened or accessed. The host computercontinuously monitors the status of the door controllers to determine ifthere are any users at the doors. In the event that a user is detected(by insertion of a key), the host computer disables all door controllersin the security network and then enables each one in turn and checks forthe existence of a key. If no key is detected, the controller isdisabled again and the next one is enabled, and so on until thecontroller having a key inserted therein is identified. Once it has beenidentified, identification data is read from the key by the hostcomputer and compared against a database containing lists of permittedkeys for that particular controller. Only if there is a match, the hostcomputer transmits a signal to actuate the solenoid and open the lock.

U.S. Pat. No. 5,974,367 describes an electronic lock and key arrangementin which three keys, namely a master key, an audit key and a servicekey, are provided for use in conjunction with the lock. When a key isinserted into the lock it supplies power to the lock and the lockresponds with a request for key status. If a valid master key isinserted, the result is that a password is written from the master keyto the electronic lock. When an audit key is inserted, the lock requestsa password and, if the audit key provides a valid password, the locktransmits to the audit key first identification information. Finally, ifa valid service key is inserted, it transmits second identificationinformation to the electronic lock which causes the lock to be opened.Thus, the system requires the use of three keys, even though the masterkey and the audit key are unable to unlock the lock.

U.S. Pat. No. 6,000,609 describes an electromechanical lock and a keytherefor. The lock cylinder includes (among other things) amicroprocessor, a memory, a solenoid, and a battery. The microprocessorcan be programmed as to authorised users, entry times, etc. using aspecial programming key, which itself is programmed by a computer. Userkeys have a memory cell or ID chip which is read by the microprocessorwhen a key is inserted into the lock and the lock will only open if allpredetermined conditions for opening are met.

EP-A-0277432 describes an electronic lock and key system in which anelectronically coded circuit is embedded in the handle of the key, andis arranged to transmit a predetermined digital code to an electricalterminal within the lock assembly, to enable the lock to be opened.

U.S. Pat. No. 5,140,317 describes an electronic security systemcomprising an electronic lock and an electronic key, each of which isprovided with a microprocessor controller and a memory for storing dataincluding an ID code. When a key is inserted in the lock, it transmitsits ID code to the lock microprocessor controller, which compares the IDcode against one or more stored ID codes and opens the lock only if amatch is found. Further, the lock microprocessor changes the ID codestored in the key memory upon insertion of the key in the lock, suchthat the key can only be used to open the lock once, and must then bereprogrammed by a host computer with the updated ID code for the lock.

The systems and arrangements described above tend to suffer from one ormore disadvantages including undue complexity and lack of versatility oradaptability to different lock configurations, as well as therequirement in many cases for a complex and expensive key managementsystem to manage access to the lock. Furthermore, in all cases, the IDcode required by the key to open the lock is programmed into the keymemory and into the lock memory from an external source on a requirementbasis. In other words, when a key is required to be authorised for usewith a particular lock, an ID code is generated by an externalprogramming device and programmed into the key memory and the lockmemory. This process increases the complexity of the key managementsystem and may leave the system vulnerable to a security breach.

We have now devised an improved electronic access control system whichis effective, relatively simple, and versatile enough to be used in manydifferent types of lock configuration.

Thus, in accordance with the present invention, there is provided anelectronic access control system for application to a lock mechanismcomprising a lock and one or more keys for operating said lock, saidelectronic access control system comprising first memory means disposedin or on said one or more keys, identification data which is unique to arespect key being stored in a non-changeable, non-deletable manner insaid first memory means, the electronic access control system furthercomprising second memory means and processing means disposed in or onsaid lock for storing data representative of one or more keys authorisedto operate said lock, for reading the identification data stored in oron a key which is applied to or inserted into said lock, and for causingsaid lock to operate only if the read identification data relates to akey authorised to operate said lock.

In a preferred embodiment the one or more keys authorised to operatesaid lock are selected from a pool of keys, each of which is providedwith unique identification data, such as a unique ID number or the like.

Preferably, identification data representative of a key authorised tooperate said lock may be read from the first memory means and stored insecond memory means when that key is applied to or inserted into saidlock. The second memory means and processing means may be arranged tooperate in at least two selectable modes, an edit mode and a normalmode, wherein in the edit mode, identification data can be added to ordeleted from the second memory means, and in the normal mode, the lockcan be operated by the one or more authorised keys.

In one embodiment, one key of a set of keys associated with a particularlock is defined in the second memory means and processing means as an“edit key”, said edit key being arranged to cause the second memorymeans and processing means to operate in said edit mode. Preferably, theedit key causes the second memory means and processing means to enterthe edit mode upon application or insertion thereof to the lock.Beneficially, the edit key is not configured to operate said lock.

Preferably, all identification data stored in the second memory meanscan be deleted by application or insertion of the edit key to the lockfor a predetermined period of time.

In a preferred embodiment of the invention, in the edit mode,identification data associated with one or more keys authorised tooperate the lock can be added to the second memory means by applicationor insertion to the lock of the respective one or more keys. In a morepreferred embodiment, in the edit mode, if a key whose identificationdata is not stored in the second memory means is applied or insertedinto the lock, the identification data is read and stored in the secondmemory means, and if a key whose identification data is stored in thesecond memory means is applied or inserted into the lock, theidentification data is deleted from the second memory means.

Beneficially, one or more keys may each be provided with indicator meanswhich is operated when a key applied or inserted into the lock isdetermined to be authorised to operate the lock.

Preferably, when it is determined that a key applied or inserted intothe lock is authorised to operate the lock, the lock will remainoperable for a predetermined period of time only, following which it isarranged to return to its inoperable state.

One or more additional memory means may be provided in or on the one ormore keys, the or each additional memory means being arranged to storethe unique identification data relating to another key. In this case,the system may comprise a key writing unit for copying the uniqueidentification data relating to a first key (from the first memorymeans) to an additional memory means in or on a second key, the uniqueidentification data relating to the second key remaining in itsrespective first memory means. Further, in a preferred embodiment, whena key is applied or inserted into the lock, the processing meansdetermines if the unique identification data relating to said key isstored in the second memory means, if so it causes the lock to operate,if not, it determines if any additional identification data is stored inthe one or more additional storage means, if so, it determines if theadditional data is stored in the second memory means, and if so, itcauses the lock to operate.

The present invention extends to a method of providing an electronicaccess control system for application to a lock mechanism comprising alock and one or more keys for operating said lock, said methodcomprising the steps of providing a plurality of keys in or on each ofwhich is stored unique identification data in a non-changeable,non-deletable manner, selecting one or more of said plurality of keysand storing the unique identification data relating to the or eachselected key of one or more keys in memory means provided in or on saidlock, reading the identification data stored in or on a key which isapplied to or inserted into said lock, causing said lock to operate onlyif the read identification data relates to a key authorised to operatesaid lock.

A specific embodiment of the present invention will now be describedbyway of example only and with reference to the accompanying drawings,in which:

FIG. 1 is a schematic diagram illustrating the layout of a keywriter foruse with an exemplary embodiment of the present invention; and

FIG. 2 is a schematic diagram of a four-level keying system whichillustrates an electronic access control system according to anexemplary embodiment of the present invention.

The electronic access control system of an exemplary embodiment of thepresent invention comprises a lock cylinder and one or more user keysfor use in operating the lock. Housed within the lock cylinder is amicroprocessor and a memory. Each user key has an ID chip in which isembedded (at the time of manufacture of that chip) a unique ID numberdrawn from a pool of greater than 280,000,000,000,000 combinations,which number cannot be changed once it has been embedded in the key. Theuser key may also be provided with additional storage locations. A userkey can be used to successfully open the lock if its unique ID number ora secondary number stored in one of the key's additional storagelocations (to be described later)has been added to a list stored in thelock memory.

The system further comprises an edit key which can be used to add ordelete ID numbers of user keys from the list of valid keys stored in thelock memory. In general, it is preferred that only one key be defined asthe edit key for each cylinder, although under some circumstances, asingle edit key may be defined for use with several different cylinders.It will be appreciated that the edit key cannot be used to operate thelock; its function is solely to enable the contents of the lock memoryto be edited.

The edit key may be used to clear the user key list stored in the lockmemory. This is achieved by inserting the edit key in the lock andholding it there for a predetermined period of time, say twenty seconds.The lock microprocessor identifies the insertion of the edit key for thepredetermined period of time, and clears or deletes the list ofauthorised user keys from the lock memory. It will be appreciated that,since the edit key is not configured to activate the lock and it cannotrotate the inner section of the cylinder, it must be held in thecylinder for the predetermined period of time as it will not be retainedby the cylinder. In a preferred embodiment, the edit key is providedwith a light emitting diode (LED) which goes on when the edit key isinserted in the cylinder and goes off when it is removed or when thepredetermined period of time has elapsed indicating that the user keylist stored in the lock memory has been cleared.

Once the lock memory has been cleared, one or more new user keys willhave to be added before the lock can be used. A mode in which the lockmemory can be edited, i.e. user keys can be added or selectively deletedfrom the lock memory, hereinafter referred to as the “cylinder editmode”, may be entered by removing the edit key from the cylinder beforethe above-mentioned predetermined time has elapsed, i.e. before the editkey LED goes off. If it is not required to edit the lock memory, i.e.the edit key has been inserted into the cylinder by mistake, removingthe key and then re-inserting it into the cylinder will restore normaloperation (“normal mode”), and is indicated by the edit key LED flashingon once.

In order to add a user key to the lock memory, it is first necessary toenter the cylinder edit mode as described above, in which mode simplyinserting a previously unlisted user key into the cylinder and thenremoving it will add that user key to the list of authorised user keysstored in the lock memory. In other words, when a user key is insertedinto the cylinder during the cylinder edit mode, the lock processorreads the unique ID number embedded in the user key memory and, if thatID number is not already stored in the lock memory, it is added thereto.In a preferred embodiment, the user keys are provided with a lightemitting diode (LED) or the like and, in order to indicate that apreviously unlisted user key has been added to the lock memory, the LEDmay be arranged to go on for a predetermined period of time, say twoseconds, and then go off. The cylinder may also be unlocked for thatpredetermined period of time as a further indicator of a successfuladdition. Further previously unlisted user keys may be added to the lockmemory in the same manner, perhaps up to a predetermined maximum of say18 or 20 keys per cylinder.

Once all the required user keys have been added to the lock memory, thecylinder edit mode may be terminated by inserting the edit key into thecylinder again and then removing it, thereby returning the mode ofoperation of the cylinder to normal mode (indicated by the edit key LEDflashing on once) as described above.

In order to delete a user key from the lock memory, the cylinder editmode must first be entered, as described above. The listed user key tobe deleted from the lock memory may then be inserted into the cylinderto delete it from the lock memory. In other words, when a user key isinserted into the cylinder during the cylinder edit mode, the lockprocessor reads the unique ID number embedded in the user key memoryand, if that ID number is already stored in the lock memory, it isdeleted therefrom. A successful deletion may once again be indicated bythe user key LED flashing on once. Further user keys may be deleted fromthe lock memory in the same manner and, when all required keys have beendeleted, cylinder edit mode can be terminated as described above.

Once a user key ID number has been added to the list of ID numbersstored in the lock memory, that user key can be used to operate the lockcylinder. When the user key is placed on the cylinder receptacle, thecylinder processor reads the ID number embedded therein and, if itmatches an ID number stored in the lock memory, the cylinder is unlocked(perhaps, for example, because power is caused to be supplied to thesolenoid forming part of one particular type of lock mechanism) and freeto rotate. The system may be arranged such that, when an authorised userkey is inserted into the cylinder, the cylinder is only unlocked for apredetermined period of time, say 1.5 seconds, irrespective of how longthe key is actually in the lock. Thus, when an authorised user key isinserted, the cylinder is unlocked for 1.5 seconds and the inner sectionof the cylinder is free to rotate so that the lock can be opened. Theinner section of the cylinder is free to rotate in any direction andthrough as many cycles as required while the cylinder is unlocked. Thedirection and angle of rotation will, of course, be dictated by theparticular lock mechanism into which the cylinder is inserted.

This period during which the cylinder is unlocked may be indicated bythe user key LED going on and remaining on for the duration of theperiod during which the cylinder is unlocked, and then going off toindicate that the cylinder is locked once again.

In one specific embodiment of the invention, as the key starts to rotatethe inner section of the cylinder, an outer channel in the receptacleengages with a lug on the key and prevents the removal of the key untilit is returned to the starting position. Of course, the period duringwhich the cylinder is unlocked may expire before it is returned to itsstarting position, in which case the mechanical layout of the cylindermay be such the key may continue to rotate the cylinder until it returnsto the point where the key may be removed. At this point the mechanismwill prevent any further rotation.

In the event that a user key which is not listed in the lock memory isinserted into the cylinder, this is determined by the cylinder processorand the cylinder will remain locked, i.e. the key will not be able torotate the inner section of the cylinder. This may be indicated by theuser key LED flashing on and off for a predetermined period of time

Thus, in the basic system described above, an edit key and the requireduser keys are used to add and delete user key ID numbers from the lockmemory. However, if a key is lost or stolen, such that it is notavailable for use to delete its ID number from the lock memory, the onlyway in which it can be deleted from the lock memory is to clear theentire lock memory and re-enter the ID numbers of the required user keysusing the procedure described above. This is not particularlyproblematic when only a small number of user keys are involved, but asthe list grows so does the inconvenience of this approach. At thisstage, a PC-based key management system could be employed (as in many ofthe prior art systems) whereby the ID numbers of the required keys maybe entered into the lock memory via a PC rather than by using the keysthemselves. However, it is much more advantageous to provide a simpler,non PC-based system which can be used with the system described above toease the task of key management. The second aspect of the presentinvention is primarily concerned with such a system.

Thus, in the basic system described above, the number of user keys whichmay be used with each cylinder may be limited (either physically orpractically) to say 18 or 20. However, the second aspect of the presentinvention is concerned with the expansion of the basic system to allow alarger, or unlimited, number of user keys to be used with any onecylinder, whilst still employing the basic key management functionprovided within the cylinder as described above.

This aspect of the present invention employs a user key having its‘primary’ ID number embedded therein, as described above, and alsohaving one or more additional storage locations which can be loaded witha ‘secondary’ number shared by other user keys. For the purposes of thisdescription, a user key having only a primary ID number embedded therein(and no secondary ID number) will be referred to as a primary user key,and a user key having both a primary ID number and a secondary ID numberwill be referred to as a secondary user number.

In this exemplary embodiment of the present invention, both the edit keyand the user keys have storage locations in addition to their primary IDnumber. It will be appreciated that the edit keys and the user keys aresubstantially identical—it is the internal list of keys stored in thelock memory which defines the function of any particular key.

The primary number location contains the key's unique primary ID number.This number is fixed and may not be altered at any time. As such itprovides a unique identifier for its respective key.

Each key may also have (say) four secondary number locations which canbe loaded with up to four secondary ID numbers. A secondary number isessentially a copy of another key's primary ID number and can be changedby a “keywriter” (to be described below). A user key having a secondaryID number which is included in the list of authorised key numbers storedin the lock memory can be used to unlock the cylinder. Thus, secondarynumbers allow copies of user keys to be made, thereby allowing any onecylinder to be operated by a large pool of keys. In the case where thenumber of user key ID numbers which can be stored in the lock memory islimited to, for example, 18 or 20, up to 18 or 20 sets of user keys canbe used with each cylinder. However, for security reasons, it ispreferred that only the primary ID number of a user key ,may be used inconjunction with the edit key in order to modify the key list stored inthe lock memory.

Each key may also be provided with an additional secure storage locationwhich may be reused until it is “locked”, in which state the memory mayonly be read. This additional storage location may be used to storeextra security key numbers.

Thus, the secondary number(s) to be stored in a user key is read from aselected user key's primary number and loaded into the secondary numberstorage location of the user key by a ‘keywriter’. This process ispreferably made more secure by only allowing a user key's primary IDnumber to be copied—no key's secondary number(s) can be copied—such thatin order to make a copy of a key, it is necessary to be in possession ofthe original. In this case, it is preferred that only secondary userkeys be used to operate the lock, with the primary user key(s) and theedit key being kept in a secure location for use only by authorisedpersons for the purposes of duplication of keys and deletion of user keynumbers from the lock memory. Further, in this preferred embodiment ofthe invention, the edit key only uses its primary ID number as itsidentification and cannot be copied, and secondary user keys cannot beused in conjunction with the edit key in order to add or delete keysfrom the cylinder list.

When the cylinder processor reads a key, it first reads the key's uniqueprimary ID number and tries to match it with its stored list. If thisnumber matches the edit key's unique primary number, it will entereither the cylinder edit mode or exit it, depending on its previousstate. If the unique primary ID number matches one of its stored userkey numbers, it will either operate the cylinder (in normal mode) ordelete that key number from the lock memory (in cylinder edit mode).

On the other hand, if no match is found for the unique primary ID numberand the cylinder is cylinder edit mode, it will add that key number tothe list of user key numbers stored in the lock memory. If the cylinderis not in cylinder edit mode, the cylinder will then look for the key'ssecondary ID number(s). If it finds such a number, it will try to matchit to the list of user keys stored in the lock memory and, if a match isfound, it will operate the cylinder. In the event that no secondary IDnumber(s) are found or none such numbers match any of the user keysstored in the lock memory, the key will be rejected and the cylinderwill remain locked.

The above-mentioned keywriter will now be described in more detail. Thekeywriter according to this exemplary embodiment of the presentinvention consists of a box with two key receptacles, one, or morepreferably two, Dallas iButton receptacles, a sounder (optional), aliquid crystal display (LCD) and four button switches. The layout ofthis exemplary keywriter is illustrated in FIG. 1 of the drawings. Oneof the key receptacles (in this case, the left-hand key receptacle) andat least one of the Dallas iButton receptacles are used for the primarykey source contact, and the right-hand key receptacle is used for thedestination secondary key contact. The provision of two Dallas iButtonreceptacles enables the keywriter to read and write iButtons.

Dallas iButtons are stainless steel cans that resemble button cellbatteries but contain the same chip as is within the keys. These buttonsare robust and relatively inexpensive and do not require a battery, sothey are considered well suited for use as sources of the primary IDnumbers. For security reasons, such buttons can only be used, inconjunction with the keywriter because they would not be able tointerface directly with and therefore operate the cylinder.

A button switch may be provided which is pressed to initiate anoperation and the LCD and optional sounder are used to communicate theresult of that operation. Power for the keywriter is provided by theprimary or secondary user keys being used.

Operation of this exemplary embodiment of the key writer will now bedescribed in more detail. As stated above, the keywriter may be used tomake copies of keys for use with a lock processor. The version describedbelow may be supplied for use with a replacement lock.

In order to copy the unique primary ID number of a key to a secondarylocation of another key, the primary user key or Dallas iButton isinserted into one of the left-hand receptacles of the keywriter. The keyto be written to is inserted into the right-hand receptacle. Uponpressing the button switch, the primary ID number of the left-hand userkey will be copied to a secondary storage location of the right-handuser key. In this exemplary embodiment of the present invention, up tofour secondary storage locations in a single key may written to in thisway. If all of the secondary storage locations on the key being writtento are full, this fact will be indicated on the LCD.

In order to remove a secondary ID number from a key, the key in questionis inserted into the right-hand receptacle and each of the secondarystorage locations are displayed in turn on the LCD by pressing thebutton switch, such that a selected location can be cleared as required.

In more detail, in order to write a number to the destination key, placethe source of the Primary Number onto the source receptacle and thedestination key whose Secondary location is to be written to in thedestination receptacle. If the source of the Primary number is a keywith a charged battery, the Keywriter will power-up. If the source is aniButton, then the Keywriter will not power-up until the destination keyis placed onto the destination receptacle. When the Keywriter powers-upand if the Primary Number of the source device has been readsuccessfully, the following display will appear.

SRC=123456789ABC

1=CONT 2-CHECK#

Note# is the battery level symbol, this will show empty for an iButton.123456789ABC represents the number that has been read.

This display shows the Primary Number of the source key and its batterylevel. If the source key is either not present or has not been readsuccessfully the following display will appear

NO SOURCE KEY

1=CONT 2=CHECK#

In this case the key may be read again by pressing button 2 until it isread successfully. When the source Primary number has been readsuccessfully, press button 1 to continue. If the following displayappears

NO DEST KEY

1=CONT 2-CHECK#

This means that the destination key has not been detected. Press button2 to check again. When the destination key has been detected, thefollowing display will appear

01=CLEAR

1ADD 2CLR 3NXT#

This display shows that Secondary Location 01 of the destination key isclear and may be written to. If the following display appears

01=CBA987654321

1ADD 2CLR 3NXT#

Note CBA987654321 represents the Secondary Number that has been read.

This shows that the Secondary Location 01 already contains a number. Ifbutton 2 is now pressed this location will be cleared and the followingdisplay will appear

01=CLEAR

1ADD 2CLR 3NXT#

If button 1 is pressed, Secondary Location 01 will have the PrimaryNumber of the source key written to it and the following display willappear

01=123456789ABC

1ADD 2CLR 3NXT#

Note 123456789ABC represents the source key's Primary Number that hasbeen written into Secondary Location 01 in the destination key.

Pressing button 3 at this point will cause the Keywriter to read thenext Secondary location. The following display will appear

02=DCBA98765432

1ADD 2CLR 3NXT#

if the Secondary Location 02 contains a number (represented byDCBA98765432), or the following

02=CLEAR

1 ADD 2CLR 3NXT#

if the location is clear. Pressing button 3 again will show the contentsof Secondary Location 03, and pressing it again will show the contentsof Secondary Location 04. At each of these stages, the displayedSecondary Location may be written to (press button 1), cleared (pressbutton 2) or left unaltered by pressing button 3 and moving the displayto the next Secondary Location. Secondary Locations do not have to becleared before they are written to; pressing button 1 while thedisplayed Secondary Location is not clear will cause that location to beoverwritten by the source key's Primary Number.

Pressing button 3 whilst Secondary Location 04 is being displayed, willcause the Keywriter to go back to the initial display of

SRC=123456789ABC

1=CONT 2=CHECK#

if the source key is still present, or

NO SOURCE KEY

1=CONT 2=CHECK#

if the source key has been removed.

In order to add further numbers to the destination key's SecondaryLocations, a new source key's Primary Number may be read and displayed,and then this may be added to the selected destination key's SecondaryLocation by stepping through the displayed Secondary Locations bypressing button 3, until the required location is displayed. Pressingbutton 1 at this point will write the source number to this location.

If the destination key needs to be cleared and no numbers loaded intoit, then this can be done without the need to place a source key in theKeywriter. This is done as follows

With no keys in the Keywriter and with the Keywriter powered-down, placethe key to be cleared in the destination key receptacle. If the key'sbattery is charged, the following display will appear

NO SOURCE KEY

1=CONT 2=CHECK#.

Press button 1 and the following display will appear

01=CBA987654321

1ADD 2CLR 3NXT#

Pressing button 2 will clear this location and the following displaywill appear

01=CLEAR

1ADD 2CLR 3NXT#

All the locations may be cleared, by using button 3 to move to the nextlocation to be cleared.

Pressing button 3 when Secondary Location 04 is displayed, will bringthe display back to the initial display of

NO SOURCE KEY

1CONT 2=CHECK#

The key may be removed at any time to halt the procedure.

As in the case of clearing the Secondary Locations, the source key doesnot need to be present in order to view the Secondary Locations of akey. This may be done as follows

With no keys in the Keywriter and with the Keywriter powered-down, placethe key to be viewed in the destination key receptacle. If the key'sbattery is charged, the following display will appear

NO SOURCE KEY

1=CONT 2=CHECK#

Press button 1 and the following display will appear

01-CBA987654321

1ADD 2CLR 3NXT#

or

01=CLEAR

1ADD 2CLR 3NXT#

Pressing button 3 will cause the next Secondary Location to be displayed

02=DCBA98765432

1ADD 2CLR 3NXT#

or

02=CLEAR

1ADD 2CLR 3NXT#

Pressing button 3 when Secondary Location 04 is displayed, will bringthe display back to the initial display of

NO SOURCE KEY

1=CONT 2=CHECK#

The key may be removed at any time to halt the procedure.

As stated above, the cylinder processor recognises an edit key by usingits primary ID number only, such that the keywriter cannot be used tomake copies of the edit key. However, in this exemplary embodiment ofthe present invention, the secondary storage locations in the edit key(which is physically identical in every way to the user keys and is onlydistinguished therefrom by its definition within the cylinder processor)have a special function in that the keywriter can be used to load IDnumbers from other keys into these locations and these numbers can betransferred from the edit key to the lock memory. In other words, theedit key can be used as a carrier of key numbers. It will be appreciatedthat, in this exemplary embodiment of the invention, only the edit keycan do this because the cylinder processor recognises it by its primaryID number only.

The cylinder treats these secondary numbers stored on the edit key inthe same manner as if it were being presented with the respectiveprimary (during edit mode), if a secondary number stored thereon is notpresent in the list stored in the lock memory, that number is added tothe list. If the number is already present in the list, it is deletedtherefrom. As before, additional primary user key numbers may be addedto the list while the cylinder is still in edit mode. Edit mode isterminated by removing the edit key and then touching it to the cylinderagain, in response to which the edit key LED will flash once asdescribed above.

The above-described method and apparatus has a number of advantages:

-   -   The same key hardware can be used for edit keys, primary user        keys and secondary user keys.    -   The basic system using only primary user keys, without the        keywriting hardware, permits a very low-cost entry-level system    -   This entry-level system can be expanded at any time by the use        of a keywriter    -   The use of duplicated secondary numbers in the secondary user        keys does not preclude the use of audit trail software (i.e.        software for recording details of each use of a key in a lock)        because each key still has its own unique primary ID number.

The simplest key and cylinder system would consist of an Edit Key andone Primary User Key. This system could be expanded by the user to addmore Primary User Keys for the cylinder up to a maximum of 20 PrimaryUser Keys. There would not be a Keywriter and so all the keys would beusing their unique Primary Numbers to active the cylinder; loss of a

Primary User Key would require the re-entering of the cylinder's keylist in order to exclude the lost key.

Additional cylinders could be added to the system and could use acompletely different set of keys or have some shared keys or all keysshared.

Whilst this approach allows the simplest of cylinder and keyarrangements to be configured without the need for additional PC-basedsoftware (therefore minimising the entry cost for the system), furtherexpansion to complex master keying is also possible.

Consider the complex four-level keying system illustrated in FIG. 2 ofthe drawings. This may be accomplished using the cylinder as follows:

For this illustration the unique Primary Numbers of the keys, will berepresented by letters and the Edit Key, will be represented by theletters “ED”. The Great Grand Master may operate all the cylinders inthe complete set. In order to accomplish this, its number (GGM) must bepresent in the key lists of all the cylinders in the set. For the GrandMaster Key A, its number (GMA) must be present in all cylinders of the“A” set. For the Master AA, its number (MAA) must be present in all thecylinders of the “AA” subset. For the AA change keys, their number (AA1,AA2 etc) need only be present in the cylinder that they are to operate.

Thus the key list within the cylinder operated by change key AA1 wouldlook as follows: Edit Key ED User Key 1 GGM User Key 2 GMA User Key 3MAA User Key 4 AA1

Note that the User Keys may be in any order in the cylinder's key list,their function i.e. Master, Grand Master etc. is dictated by the numberof Edit Key lists in which they appear.

Thus the key list within the cylinder operated by change key AA3 couldlook as follows: Edit Key ED User Key 1 MAA User Key 2 GMA User Key 3AA3 User Key 4 GGM

Using the notation developed above, it can be seen that the cylinderactivated by change key AB3 would look as follows: Edit Key ED User Key1 GGM User Key 2 GMA User Key 3 MAB User Key 4 AB3

and that activated by change key BB4 would look as follows: Edit Key EDUser Key 1 GGM User Key 2 GMB User Key 3 MBB User Key 4 BB4

Up to (say) 17 change keys could be allocated to each cylinder at level1; three User Key locations within the cylinder's list, would be takenby the key numbers for the Great Grand Master, Grand Master and Masterfor the set. The loss of a key within the set would necessitate there-loading of the key numbers within the cylinders. The number ofcylinders requiring the update would increase the higher the level ofthe key that was lost. Loss of the Great Grand Master would require there-loading of all of the cylinders in the set.

As the complexity of the system increases, the wisdom of using SecondaryUser Keys in the field, whilst keeping the Primary User Keys secure,increases. If Secondary User Keys were used in the field for the MasterKeys, then possession of the Primary User Key would allow a key'sremoval from the cylinder without having to re-load all the other keys.Change keys could be Primary User Keys as their loss only affects onecylinder, although as the number of change keys increases so does theinconvenience of having to re-enter the whole list.

Cross Keying

Cross keying of the cylinders can be accomplished by having the numberof a change key present in a number of cylinders. If complex crosskeying were to be employed, then it would make sense to use SecondaryUser Keys as the loss of a cross key could affect a number of cylinders.

Dealing with Large Numbers of Change Keys

In situations where a lock cylinder needs to be activated by a largenumber of change keys i.e. the front door to a building, this can beachieved by using the Keywriter to produce a large pool of SecondaryUser Keys. Should a key be lost, the original key containing the PrimaryNumber could be used to remove the key number from the cylinder's keylist. New keys could then be issued by writing new Secondary Numbers tothe Secondary Keys.

In the master-keying example given above, there is space in the Edit Keylist for up to 17 different change keys. In a very large installation,where many change keys are to be issued to operate the cylinder, each ofthese individual change keys may represent a large pool of SecondaryUser Keys. Thus if a key was lost, only those Secondary User Keys withinthe same group of keys would need to be altered.

Thus, the system of the present invention is intended to meet the needsof a user who does not want the overhead of a key management system inorder to gain the advantages of an electronic lock. The system may beused in a variety of lock systems, although to illustrate itsflexibility, it has been described above for use in a replacement lockcylinder. The advantage of the basic system described above is the easyre-keying of the lock processor and the use of keys which have a uniqueserial number drawn from a pool of greater than 280,000,000,000,000combinations. This basic system can be expanded, thereby furtherincreasing the versatility of the system, by the use of a keywriter asdescribed above. The system maintains a high level of security becausethe list of keys which can operate a cylinder is only kept within thecylinder, and at no time will the lock processor release the serialnumbers of valid keys in its list. Although a user could find out theserial number of a key using the keywriter, the user does not need toknow its number in order to use it.

Although a specific exemplary embodiment of the present invention hasbeen described above, it will be appreciated by a person skilled in theart that modifications and variations can be made to the describedembodiment without departing from the scope of the invention as definedin the appended claims.

1. An electronic access control system for application to a lockmechanism comprising a lock and one or more keys for operating saidlock, said electronic access control system comprising first memorymeans disposed in or on said one or more keys, identification data whichis unique to a respective key being stored in a non-changeable,non-deletable manner in said first memory means, the electronic accesscontrol system further comprising second memory means and processingmeans disposed in or on said lock for storing data representative of oneor more keys authorised to operate said lock, for reading theidentification data stored in or on a key which is applied to orinserted into said lock, and for causing said lock to operate only ifthe read identification data relates to a key authorised to operate saidlock.
 2. An electronic access control system according to claim 1,wherein the one or more keys authorised to operate said lock areselected from a pool of keys, each of which is provided with uniqueidentification data.
 3. An electronic access control system according toclaim 1, wherein identification data representative of a key authorisedto operate said lock may be read from said first memory means and storedin said second memory means when said key is applied to or inserted intosaid lock.
 4. An electronic access control system according to claim 3,wherein said second memory means and processing means are arranged tooperate in at least two selectable modes, an edit mode and a normalmode, wherein in said edit mode, identification data can be added to ordeleted from said second memory means,and in said normal mode, said lockcan be operated by said one or more authorised keys.
 5. An electronicaccess control system according to claim 4, wherein one key of a set ofkeys associated with a particular lock is defined in said second memorymeans and processing means as an ‘edit key’, said edit key beingarranged to cause said second memory means and processing means tooperate in said edit mode.
 6. An electronic access control systemaccording to claim 5, wherein said edit key causes said second memorymeans and processing means to enter said edit mode upon application orinsertion thereof to said lock.
 7. An electronic access control systemaccording to claim 5, wherein said edit key is not configured to operatesaid lock.
 8. An electronic access control system according to claim 5,wherein all identification data stored in said second memory means canbe deleted by application or insertion of said edit key to said lock fora predetermined period of time.
 9. An electronic access control systemaccording to claim 5, wherein in said edit mode, identification dataassociated with one or more keys authorised to operate said lock can beadded to or deleted from said second memory means by application orinsertion to said lock of said respective one or more keys, and/orwherein in said edit mode, identification data associated with one ormore keys authorised to operate said lock can be added to or deletedfrom said second memory means by application or insertion to said lockof said edit key.
 10. An electronic access control system according toclaim 9, wherein in said edit mode, if a key whose identification datais not stored in said second memory means is applied or inserted intosaid lock, said identification data is read and stored in said secondmemory means, and if a key whose identification data is stored in saidsecond memory means is applied or inserted into said lock, saididentification data is deleted from said second memory means.
 11. Anelectronic access control system according to claim 1, wherein said oneor more keys is or are each provided with indicator means which isoperated when a key applied or inserted into said lock is determined tobe authorised to operate said lock.
 12. An electronic access controlsystem according to claim 1, wherein when it is determined that a keyapplied or inserted into said lock is authorised to operate said lock,the lock will remain operable for a predetermined period of time only,following which it is arranged to return to its inoperable state.
 13. Anelectronic access control system according to claim 1, wherein one ormore additional memory means are provided in or on said one or morekeys, the or each additional memory means being arranged to store theunique identification data relating to another key.
 14. An electronicaccess control system according to claim 13, comprising a key writingunit for copying the unique identification data relating to a first key(from said first memory means) to an additional memory means in or on asecond key, the unique identification data relating to said second keyremaining in its respective first memory means.
 15. An electronic accesscontrol system according to claim 13, wherein when a key is applied orinserted into said lock, the processing means determines if the uniqueidentification data relating to said key is stored in said second memorymeans, if so, it causes said lock to operate, if not, it determines ifany additional identification data is stored in said one or moreadditional storage means, if so, it determines if said additional datais stored in said second memory means, and if so, it causes said lock tooperate.
 16. (canceled)
 17. A method of providing an electronic accesscontrol system for application to a lock mechanism comprising a lock andone or more keys for operating said lock, said method comprising thesteps of providing a plurality of keys in or on each of which is storedunique identification data in a non-changeable, non-deletable manner,selecting one or more of said plurality of keys and storing the uniqueidentification data relating to the or each selected key of one or morekeys in memory means provided in or on said lock, reading theidentification data stored in or on a key which is applied to orinserted into said lock, causing said lock to operate only if the readidentification data relates to a key authorised to operate said lock.18. (canceled)